On 11.05.2016 13:04, Mantas Mikulėnas wrote:
> On Wed, May 11, 2016 at 10:57 AM, poma <pomidorabelis...@gmail.com> wrote:
>
>>
>> $ git tag --verify v229
>> object 95adafc428b5b4be0ddd4d43a7b96658390388bc
>> type commit
>> tag v229
>> tagger Lennart Poettering <lenn...@poettering.net> 1455208658 +0100
>>
>> systemd 229
>> gpg: Signature made Thu 11 Feb 2016 05:37:38 PM CET using RSA key ID 9C3485B0
>> gpg: Good signature from "Lennart Poettering <lenn...@poettering.net>"
>> gpg: aka "Lennart Poettering <lenn...@poettering.de>"
>> gpg: aka "Lennart Poettering (Red Hat) <lpoet...@redhat.com>"
>> gpg: aka "Lennart Poettering (Sourceforge.net) <poetter...@users.sourceforge.net>"
>> gpg: WARNING: This key is not certified with a trusted signature!
>> gpg: There is no indication that the signature belongs to the owner.
>> Primary key fingerprint: 63CD A1E5 D3FC 22B9 98D2 0DD6 327F 2695 1A01 5CC4
>> Subkey fingerprint: 16B1 C4EE C0BC 021A C777 F681 B63B 2187 9C34 85B0
>>
>>
>> How to do this without "gpg: WARNING:" part?
>>
>
> In the pgp trust model – assuming you've already verified the key and are
> sure that it really belongs to Lennart – you need to sign (certify) it
> either with a public or local signature:
>
> $ gpg --lsign-key "63CD A1E5 D3FC 22B9 98D2 0DD6 327F 2695 1A01 5CC4"
>
> In the tofu or tofu+pgp trust model, mark it as good in tofu.db:
>
> $ gpg --tofu-policy good "63CD A1E5 D3FC 22B9 98D2 0DD6 327F 2695 1A01 5CC4"
>
> (You can try out the new models using "gpg --update-trustdb --trust-model
> tofu+pgp".)
>

https://www.gnupg.org/news.html
GnuPG 2.1.10 released (2015-12-04)
"A new version of the modern branch of GnuPG has been released. The main features of this release are support for TOFU ..."

Fortunately or not, Fedora still runs on diesel, i.e. 1.4.20 - "the classic portable version"
https://koji.fedoraproject.org/koji/packageinfo?packageID=453
so no Tofu in Fedora's kitchen, Mortadella only ;)

However reading upon
https://en.wikipedia.org/wiki/Trust_on_first_use
stands out what is called "strengths" -and- "weakness"
"... must initially validate every interaction ..."
This sounds rather naive, or shall we say NA²IVE - "Not At All Intelligent Verification Engagement"

However, thanks for a great reference.

_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
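
An added example, not part of the thread: a pinned-fingerprint check over GnuPG's machine-readable status lines, which accepts a tag only when the signature's primary key is the fingerprint shown in the gpg output above, independent of the trust warning. The function names and both sample inputs are constructed here, and the real-use line assumes a git whose verify-tag supports --raw.

```shell
#!/bin/sh
# Primary key fingerprint from the gpg output quoted in the thread, spaces removed.
PINNED_FPR="63CDA1E5D3FC22B998D20DD6327F26951A015CC4"

# check_pinned_sig FPR  (hypothetical helper name)
# Reads GnuPG status lines ("[GNUPG:] ...") on stdin. Succeeds only when a
# VALIDSIG line names FPR as the primary key and no failure status appears.
# TRUST_* lines are ignored on purpose: the pin replaces web-of-trust validity.
check_pinned_sig() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" {
            # $3 is the signing (sub)key; $12 is the primary key fingerprint.
            if (NF >= 12 && toupper($12) == toupper(want)) { ok = 1 } else { bad = 1 }
        }
        END { exit ((ok && !bad) ? 0 : 1) }
    '
}

# Constructed sample: status lines shaped like those for the v229 tag above.
sample_pinned_key() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG B63B21879C3485B0 Lennart Poettering
[GNUPG:] VALIDSIG 16B1C4EEC0BC021AC777F681B63B21879C3485B0 2016-02-11 1455208658 0 4 0 1 2 00 63CDA1E5D3FC22B998D20DD6327F26951A015CC4
[GNUPG:] TRUST_UNDEFINED
EOF
}

# Constructed sample: a cryptographically good signature from some other key,
# one the local keyring happens to trust fully.
sample_other_key() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Someone Else
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2016-02-11 1455208658 0 4 0 1 2 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_ULTIMATE
EOF
}

sample_pinned_key | check_pinned_sig "$PINNED_FPR" && echo "pinned key: accept"
sample_other_key  | check_pinned_sig "$PINNED_FPR" || echo "other key: reject"

# Real use (git writes the status lines to stderr):
#   git verify-tag --raw v229 2>&1 | check_pinned_sig "$PINNED_FPR"
```

The second sample shows why the pin matters: a "Good signature" from a locally trusted key still fails when it is not the key expected for this project.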